Summer Slacking: 8 Security Mistakes Your Users Are Making


Posted on by Ryan Berg

As an IT professional, you’re expected to be always on. But for your users, it’s summertime, and that means BBQ’s and beer (although in Texas that’s pretty much year round.) With cookouts to host and vacations to plan, following your company’s security policies to the letter isn’t going to be the first thing on your users’ minds. 

Here are seven mistakes your users are prone to making during the quiet summer hours, along with solutions to combat them:

Mistake: Using personal devices for working remotely.

Few of us really work 9 to 5 these days, and it’s all too common for employees to check work email from a personal device.

Data on work devices may be secured by you, the seasoned IT pro, but data that finds its way to personal devices unfortunately is not. Between mobile application settings and general connectivity, it’s likely that the information that employees access will be left open to security risks.

Solution: If employees have to use a personal device to work remotely, make sure you have the right policies and procedures in place to both inform and educate your users on what to do—and what not to do. Is checking the latest financials from a rented phone in a foreign country on the what-not-to-do list? If not, I can assure you it’s bound to happen.

Mistake: Using work devices as personal devices.

It can be tempting while you’re traveling or on vacation to use a work phone or laptop for something other than work. Maybe it’s more convenient, and besides, what harm could it cause? The risk, of course, is if you inadvertently visit a fake travel or banking website, you can wind up infecting not only your machine, but your company’s entire network. 

Solution: Remind users work devices are for work only. That means no personal use and no family use, either (I have to tell my kids, sorry, they can’t use my work phone all the time.) Better yet, encourage employees to actually unplug during vacations and leave work devices at work!

Mistake: Using public Wi-Fi.

Open Wi-Fi networks are easy bait for an attacker. Although employees may not consider all communication to be highly sensitive, they should understand the implications of sharing any data over an unknown connection.

Solution: Rather than connecting to public Wi-Fi, users should set up a personal hotspot from their phone and connect via Bluetooth. This option creates a more secure connection and encrypts communication, protecting data from undisclosed attackers.

It’s important to change your device’s default password when you do it, too—just in case. While this may require a larger data plan, you should just remind yourself what public Wi-Fi really means. It’s kind of like an episode to Naked and Afraid (the name of that TV show says it all).

Mistake: Not using a virtual private network. 

While most IT professionals understand the importance of using a virtual private network, do your employees? A VPN secures connectivity between office locations and groups of devices, making it more difficult for a hacker to access. VPNs also ensure the data being sent sending is both encrypted and shared over a secure connection.

Solution: If you really want your remote employees to stay safe you should make an enterprise VPN available to support them. Explain to them the importance of making sure all traffic while connected to the VPN is routed through the VPN. That way, they can ensure any and all company security safeguards remain in place. 

Mistake: Falling for clickbait.

Getting ready to book that last-minute tropical vacation? Fair warning: Clickbait is everywhere. A click on that “What Vacation Location Fits You Best?” quiz on the right-hand side of your screen may actually share personal information from your device with unknown parties, putting your privacy and your security at risk.

Solution: Educate employees on common signs of data-stealing sites and remind them to avoid clicking any questionable links they may come across while surfing the web without checking the destination URL first. Remember: check twice, click once.

Mistake: Losing work devices.

Loss or theft of work devices has been to blame for a number of data breaches. Employees who decide to bring their work laptop along for relaxing poolside should be careful and prepared. A stolen and/or hacked device can be the easy “in” an attacker needs in order to breach an organization’s network. 

Solution: Be sure to keep work devices secure or in sight at all times, and further protect data with both encryption and a strong password. In the event of a theft make sure you have kept important work off of the device—in another secure location or file share.

Mistake: Providing colleague email addresses in out-of-office replies.

It’s common practice to include a co-worker’s contact information in an automatic out-of-office reply. However, these replies can give a criminal a new name and email to target in phishing and other social engineering attacks.

Example:

Dear Co-Worker,

As you know I am out of town and need access to my account, unfortunately I don’t have my work computer, could you reset my password to password at let me know? I have to get this proposal out ASAP and back to piña coladas.

Thanks,

Bill

Solution: It’s important for employees to keep in mind that the amount of data shared and communicated by out-of-office messages may have a further reach than expected. To remedy this potential risk, recommend against sharing any sensitive data in out-of-office notes or set automatic replies to reach only specific distribution lists. Just like sharing your vacation status on Facebook can put your home at risk, letting the wrong people know you are away from the office can lead to very targeted campaigns.

Mistake: Not installing updates

We may all rush to beat the traffic to the beach on a Friday, but be sure employees aren’t neglecting those security software updates. Abandoning security updates puts both devices and the network at risk of data loss. Although some organizations may utilize a patch system for securing multiple devices, the general health of device security is dependent on installing the latest software update.

Solution: Communicate the importance of and teach employees to set security updates to run the night before leaving for vacation. Even better, invest in ways of automating patch and update management as much as possible.

Be sure to keep these security tricks in your back pocket for the last few weeks of summer. Although there are many benefits to protecting your data, the best may be your cybersecurity peace of mind while enjoying those remaining sunny days.

Contributors
Ryan Berg

Chief Scientist, Barkly

security awareness professional development & workforce

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs